On 2025-08-04 10:55 a.m., Alexander Bokovoy wrote:
On Mon, 04 Aug 2025, TomK via FreeIPA-users wrote:
ipa idrange-find mds.xyz_id_range
----------------
2 ranges matched
----------------
Range name: MDS.XYZ_id_range
First Posix ID of the range: 155600000
Number of IDs in the range: 2000000
First RID of the corresponding RID range: 155600000
Domain SID of the trusted domain:
S-1-5-21-1803828911-4163023034-2461700517
Range type: Active Directory domain range
The SID S-1-5-21-1803828911-4163023034-2461700517-1104 corresponds
to a domain SID S-1-5-21-1803828911-4163023034-2461700517 and a RID
1104.
Domain sid falls into the range MDS.XYZ_id_range which has rids
between 155600000 and 155600000+2000000 => 1004 is outside of the
rid range.
Did you manually create or modify this AD range?
flo
[...]
Ok so this worked.
ipa idrange-mod MDS.XYZ_id_range --rid-base=0
ipa: WARNING: Service sssd.service requires restart on IPA server
MDS.XYZ_id_range to apply configuration changes.
------------------------------------
Modified ID range "MDS.XYZ_id_range"
------------------------------------
Range name: MDS.XYZ_id_range
First Posix ID of the range: 155600000
Number of IDs in the range: 2000000
First RID of the corresponding RID range: 0
Domain SID of the trusted domain:
S-1-5-21-1803828911-4163023034-2461700517
Range type: Active Directory domain range
# id [email protected]
id: [email protected]: no such user
# systemctl stop sssd; rm -f /var/lib/sss/db/*; systemctl start sssd
# id [email protected]
uid=155601104([email protected]) gid=155601104([email protected])
Using --rid-base=0 is not recommended. Please try at least above 1000 to
avoid mapping well-known SIDs (0..999) to wrong POSIX IDs.
#1 ---
Still the math troubles me:
"155600000 and 155600000+2000000 => 1004"
You have ID range that says 'RIDs can be between 155600000 and
155600000+2000000' and we map them to POSIX IDs starting with 155600000.
RID 1104 does not fit into it. Not sure who set 'first RID of the RID
range' in this ID range to be that high. Typically user/group/host RIDs
of the domain start from 1000 and go up.
The RID range mapping is used to map RIDs to POSIX IDs.
If you have RID 1104 and your 'first RID' is 0, then we get POSIX ID by
(RID - firstRID) + firstPOSIX_ID = (1004 - 0) + 155600000 = 155601104
Thanks very much for this. I've set the RID Base (First RID of the
corresponding RID range:) to 1000 then:
# ipa idrange-mod MDS.XYZ_id_range --rid-base=1000
ipa: WARNING: Service sssd.service requires restart on IPA server
MDS.XYZ_id_range to apply configuration changes.
------------------------------------
Modified ID range "MDS.XYZ_id_range"
------------------------------------
Range name: MDS.XYZ_id_range
First Posix ID of the range: 155600000
Number of IDs in the range: 2000000
First RID of the corresponding RID range: 1000
Domain SID of the trusted domain:
S-1-5-21-1803828911-4163023034-2461700517
Range type: Active Directory domain range
You have mail in /var/spool/mail/root
# systemctl stop sssd; rm -f /var/lib/sss/db/*; systemctl start sssd
# id [email protected]
uid=155600104([email protected]) gid=155600104([email protected])
Therefore using the formula we get:
RID : 1104
firstRID : 1000
firstPOSIX_ID : 155600000
(RID - firstRID) + firstPOSIX_ID = ( 1104 - 1000 ) + 155600000 = 155600104
which is what I see above. So this is making sense now.
Problem is that looks like I had "First RID of the corresponding RID
range:" set to 0 at some point. Now when it's set to 1000, can't use
the ID anymore since the home folders etc are owned by 15560"1"104
vs 15560"0"104
And hence will put "First RID of the corresponding RID range:" back to 0
for now. I'll have to tinker changing them all to the new ID's later on
when I use 1000.
Thank you again!
--
Thx,
TK.
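The mapping discussed in this thread (POSIX ID = (RID - firstRID) + firstPOSIX_ID, with the RID having to fall inside the range's RID window) can be checked offline before touching a live range. The following script is an added example and not code from the thread or from FreeIPA/SSSD; it assumes only the formula Alexander states above and uses the range values from the `ipa idrange-find` output as constructed sample input. It shows why RID 1104 fell outside the range while the RID base was 155600000, how the result differs between `--rid-base=0` and `--rid-base=1000`, and flags the well-known-SID concern (RIDs 0..999) that a RID base below 1000 introduces.

```python
import re

# Sample input constructed from the `ipa idrange-find` output in this thread.
ID_RANGE = {
    "name": "MDS.XYZ_id_range",
    "base_id": 155600000,    # "First Posix ID of the range"
    "range_size": 2000000,   # "Number of IDs in the range"
    "rid_base": 1000,        # "First RID of the corresponding RID range"
    "domain_sid": "S-1-5-21-1803828911-4163023034-2461700517",
}

# Domain SID (S-1-5-21-x-y-z) followed by the RID of the object.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Split an object SID into (domain SID, RID)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain object SID: {sid}")
    return m.group(1), int(m.group(2))


def rid_to_posix_id(sid, id_range):
    """Map a SID to a POSIX ID using the formula from the thread:
    (RID - firstRID) + firstPOSIX_ID, after checking that the RID lies
    inside [firstRID, firstRID + range_size)."""
    domain_sid, rid = split_sid(sid)
    if domain_sid != id_range["domain_sid"]:
        raise ValueError(
            f"SID {sid} belongs to a different domain than {id_range['name']}"
        )
    first_rid = id_range["rid_base"]
    last_rid = first_rid + id_range["range_size"]   # exclusive upper bound
    if not first_rid <= rid < last_rid:
        raise ValueError(
            f"RID {rid} is outside of the rid range "
            f"{first_rid}..{last_rid - 1} of {id_range['name']}"
        )
    return (rid - first_rid) + id_range["base_id"]


def maps_well_known_rids(id_range):
    """True when the range would hand out POSIX IDs to RIDs 0..999, i.e.
    to well-known SIDs such as Administrator (500) or Domain Users (513),
    which is the reason a RID base below 1000 is discouraged above."""
    return id_range["rid_base"] < 1000


if __name__ == "__main__":
    user_sid = ID_RANGE["domain_sid"] + "-1104"
    for rid_base in (155600000, 0, 1000):
        rng = dict(ID_RANGE, rid_base=rid_base)
        try:
            posix_id = rid_to_posix_id(user_sid, rng)
            warn = " (maps well-known RIDs!)" if maps_well_known_rids(rng) else ""
            print(f"rid_base={rid_base}: uid={posix_id}{warn}")
        except ValueError as err:
            print(f"rid_base={rid_base}: {err}")
```

Running it reproduces the three states seen in the thread: with the RID base at 155600000 the lookup fails for RID 1104, with a RID base of 0 the user gets 155601104 (and the script warns that RIDs 0..999 are now mappable), and with a RID base of 1000 the user gets 155600104. The same function can be run over every RID in use before changing `--rid-base`, which gives a list of the file ownerships that will need to be re-chowned.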
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue